Facial Recognition Gets a Black Eye at Black Hat

WASHINGTON -- Biometric security technology promises to secure users through a "key" that's uniquely their own, like a fingerprint or a face. But as it turns out, it's not that hard for an attacker to get hold of a biometric key.

They just need to replicate it.

No, the process doesn't involve cloning or harvesting organs. Instead, researcher Duc Nguyen demonstrated in a presentation here at the Black Hat security conference that all it takes is a photo to defeat biometric face-recognition technology found on notebooks from Asus, Lenovo and Toshiba.

Nguyen's findings come as enterprises and hardware vendors are seeking methods other than simple passwords to secure logins. Biometric locks are often seen as both more secure and more convenient. That's partly because their keys are thought to be difficult for a third party to acquire or fake, and because they avoid relying on passwords, which users often keep trivially simple so they won't forget them.

But Nguyen's findings could call into question how secure facial recognition technology actually is in its current state.

"All the face recognition techniques on all three laptops can be broken with a photo," Nguyen said during his talk. "I still don't believe it."

Though Asus, Lenovo and Toshiba each have their own unique algorithms, the basic mechanism for creating a legitimate biometric login is the same for all three: A user sits in front of their notebook while its built-in Webcam scans their face to create an image used for future identification.

Despite different names and approaches -- Lenovo's technology is named VeriFace, while Asus calls its solution Smart Logon and Toshiba's simply goes by Face Recognition -- Nguyen claimed that all three technologies had flaws that can enable an attacker to gain access.

He showed off the technique on an Asus laptop, demonstrating that a randomly selected audience member could defeat the machine's security using nothing more than a color photocopy of the owner's face.

"It means that this laptop is broken," Nguyen said. "We found that the algorithm for face recognition has a weakness, and based on that, a bad guy can create a fake face recognition login."

Nguyen added that while the Asus notebook enables its user to define the level of security for face recognition, he was able to defeat the technology at all security settings.

Bypassing biometric security with ease

Making matters worse is how straightforward it is for an attacker to gain access to the machines, Nguyen said. He claimed that a hacker could use either a picture of the user or simply rely on a brute-force attack, in which he or she tries different facial elements in a composite image until one is accepted.

But brute force might not even be necessary, considering how simple it is to find a user's picture. Nguyen pointed to sources like Flickr and Facebook, as well as images captured during video chat on services like Skype or MSN, Yahoo and AOL instant messengers.

During his presentation, Nguyen demonstrated how he could produce an image capable of defeating face-recognition technologies by capturing a user's picture from a Skype video chat.

The researcher also successfully demonstrated failures in the notebooks' security using both high- and low-quality images, at various sizes and in both grayscale and full color. With the Lenovo notebook, Nguyen found that he had to move the photo around in front of the Webcam to mimic a real human's movements. The Toshiba required similar motion, while the Asus laptop did not require any motion at all.

That's in spite of the fact that at least one vendor's approach to facial recognition is specifically designed to avoid being fooled by images.

"The technology looks for eye movement to distinguish between a still photograph and a real person," Kristy Fair, a spokesperson with Lenovo, told InternetNews.com in an e-mail.